| 1 |
On Mon, Apr 14, 2014 at 5:54 PM, Alex Legler <a3li@g.o> wrote: |
| 2 |
> On 09.04.2014 18:39, Jo wrote: |
| 3 |
>> Hi all, this is my first post in this list, so again Hi all! |
| 4 |
>> |
| 5 |
>> I'm a bit concerned about the signing keys of the portage tree releases, |
| 6 |
>> I know that gpg is not the same as openssl but keeping in mind that SSH, |
| 7 |
>> VPN, HTTPS keys might be compromised for two years, don't you think it's |
| 8 |
>> a healthy measure to generate a new pair of keys? |
| 9 |
> |
| 10 |
> GPG private keys are kept and used nowhere near any server processes, |
| 11 |
> not transferred via HTTPS or any VPNs, and SSH is not affected. I don't |
| 12 |
> see an immediate need to rotate them. |
| 13 |
|
| 14 |
Agree. Also, in a few months whenever the new GPG policy GLEP is |
| 15 |
implemented I suspect that many keys will be regenerated anyway. |
| 16 |
|
| 17 |
Rich |
Archives